[Exim] blocking sobig ( and others )

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Chris Edwards
Datum:  
To: exim-users
Betreff: [Exim] blocking sobig ( and others )
As I understand it, every win32 executable starts with the same
byte-sequence. So, why not simply look for its Base64 encoding:

TVqQAAMA (at the start of a line after one blank line; case sensitive)

  deny  condition = ${if match{$message_body:} {  TVqQAAMA}{yes}{no}}
        message = This message appears to contain a Windows executable


There's 2 spaces before the TVqQAAMA - the first matches the blank line,
the second matches the newline. RTFM for $message_body.

This should catch any raw win32 executable. Plausible ?

--
Chris Edwards, Glasgow University Computing Service